insights-core
feat(pgp): Use crypto.py during Egg and Collection verification
All Pull Requests:
Check all that apply:
- [x] Have you followed the guidelines in our Contributing document, including the instructions about commit messages?
- [x] Is this PR to correct an issue?
- [x] Is this PR an enhancement?
Complete Description of Additions/Changes:
- Card ID: CCT-131
- Card ID: CCT-405
- Card ID: RHEL-2480
- Card ID: RHEL-2482
This patch adds a self-contained and isolated GPG verification environment. It runs GPG in an isolated environment where only selected PGP keys are allowed, and uses them to check that the file signature matches its file.
GPG creates a directory $HOME/.gnupg/ every time it performs some operation. When run under root, but not manually (e.g. via subscription-manager Cockpit plugin), it tries to create and write to this directory, which pollutes user directories and/or causes SELinux denials.

This patch utilizes the --homedir argument GPG supports in order to move the GPG home directory to a temporary directory for the time of the transaction. After the GPG action is performed, the directory is cleaned up.
This PR is an improvement over previously reverted https://github.com/RedHatInsights/insights-core/pull/3930
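The isolated-homedir flow described above, as an added illustration that is not insights-core's own crypto.py: a temporary `--homedir` is created with mode 0700, only the selected public keys are imported into it, the detached signature is verified, and the directory is removed whether or not verification succeeds. The `runner` parameter (defaults to `subprocess.run`) is a hypothetical injection point so the flow can be exercised without a gpg binary.

```python
import os
import shutil
import subprocess
import tempfile
from typing import Callable, List

# Hypothetical helper, not the project's crypto.py.
GPG_BINARY = "gpg"


def gpg_command(homedir: str, *args: str) -> List[str]:
    """Build a gpg argv bound to an isolated home directory.

    --homedir keeps gpg away from $HOME/.gnupg (the pollution / SELinux
    denial problem described above); --batch and --no-tty make the run
    non-interactive so it cannot stall when started by a service.
    """
    return [GPG_BINARY, "--homedir", homedir, "--batch", "--no-tty", *args]


def verify_detached_signature(target: str, signature: str, key_paths: List[str],
                              runner: Callable = subprocess.run) -> bool:
    """Verify `signature` over `target`, trusting only the keys in `key_paths`.

    Returns True only when every selected key imports cleanly and gpg reports
    a good signature. The temporary homedir is always removed in `finally`,
    so a failed import or a bad signature leaves no state behind.
    """
    homedir = tempfile.mkdtemp(prefix="insights-gpg-")
    try:
        # gpg warns about (and may refuse) a homedir readable by other users.
        os.chmod(homedir, 0o700)
        for key in key_paths:
            imported = runner(gpg_command(homedir, "--import", key), capture_output=True)
            if imported.returncode != 0:
                return False  # unknown or unreadable key: do not fall back to the user keyring
        checked = runner(gpg_command(homedir, "--verify", signature, target), capture_output=True)
        return checked.returncode == 0
    finally:
        shutil.rmtree(homedir, ignore_errors=True)
```

With a real gpg binary, `verify_detached_signature("insights-core.egg", "insights-core.egg.asc", ["/path/to/key.gpg"])` performs the actual check; the keyring in the temporary homedir never contains anything but the keys passed in.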